14376: XSS in version 3.15.5 - Survey Resource zip upload - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

256

ID	Project	Category	View Status	Date Submitted	Last Update

14376	Bug reports	Security	public	2018-12-20 18:54	2019-04-30 09:11

Reporter	manuelvsousa	Assigned To	DenisChenu
Priority	urgent	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	3.15.x
Fixed in Version	3.15.x

Summary	14376: XSS in version 3.15.5 - Survey Resource zip upload
Description	By performing this attack, a zip file when uploaded as Survey resource can execute javascript code in order to steal important parts of admin cookie (CSRF tokens, etc). This works by uploading a file with a payload. In this case I used the name <svg onload=alert(document.cookie)>.php Then we also have to have a .xml file with the file in order to get the upload right. In this case, the xml must contain: `<logo> <filename>files/<svg onload=alert(document.cookie)>.php</filename> </logo>` Check the attached exploit.zip in order to check more details
Steps To Reproduce	Create a Survey. Click on that survey In the main panel go to resources Upload the exploit.zip file Check the javascript alert as PoC
Additional Information	Other upload parts of this project might be vulnerable using this payload.
Tags	No tags attached.
Attached Files	exploit.zip (5,965 bytes)

Bug heat	256
Complete LimeSurvey version number (& build)	3.15.5
I will donate to the project if issue is resolved	No
Browser	Latest version of Google Chrome and Firefox
Database type & version	Ver 9.1 Distrib 10.1.34-MariaDB
Server OS (if known)	Ubuntu 18.04.1 LTS
Webserver software & version (if known)
PHP Version	7.2

User List	There are no users monitoring this issue.

DenisChenu 2018-12-21 12:38 developer ~50059	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28689

DenisChenu 2018-12-21 12:43 developer ~50060	Some other fix to do at another place … About svg : i think we have an issue here : we allow svg but svg can contains bad JS, and we don't filter SVG …

DenisChenu 2018-12-23 21:51 developer ~50071	Waiting for release :)

ollehar 2019-01-16 17:30 administrator ~50234	Fix committed to develop branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28760

manuelvsousa 2019-01-24 15:46 reporter ~50301	I guess this can go public now :) . Thank you for fixing it and making the product more secure.

LimeSurvey: master bfee69ed 2018-12-21 13:38 DenisChenu Details Diff	[security] Fixed issue 14376: XSS in Survey Resource zip upload [security] Fixed issue : XSS in theme zip upload Dev: CHtml::encode filename (whole) when view Dev: Same with import theme Dev: some other fix to do : reporting issues	Affected Issues 14376
	mod - application/views/admin/survey/importSurveyResources_view.php	Diff File
	mod - application/views/admin/themes/importuploaded_view.php	Diff File
	mod - application/views/admin/themes/templatesummary_view.php	Diff File
LimeSurvey: develop 11e5076d 2018-12-21 13:38 DenisChenu Committer: ollehar Details Diff	[security] Fixed issue 14376: XSS in Survey Resource zip upload [security] Fixed issue : XSS in theme zip upload Dev: CHtml::encode filename (whole) when view Dev: Same with import theme Dev: some other fix to do : reporting issues	Affected Issues 14376
	mod - application/views/admin/survey/importSurveyResources_view.php	Diff File
	mod - application/views/admin/themes/importuploaded_view.php	Diff File
	mod - application/views/admin/themes/templatesummary_view.php	Diff File

Date Modified	Username	Field	Change
2018-12-20 18:54	manuelvsousa	New Issue
2018-12-20 18:54	manuelvsousa	File Added: exploit.zip
2018-12-21 11:37	DenisChenu	Assigned To	=> DenisChenu
2018-12-21 11:37	DenisChenu	Status	new => assigned
2018-12-21 11:37	DenisChenu	Priority	none => urgent
2018-12-21 11:37	DenisChenu	Description Updated
2018-12-21 11:37	DenisChenu	Steps to Reproduce Updated
2018-12-21 12:38	DenisChenu	Changeset attached	=> LimeSurvey master bfee69ed
2018-12-21 12:38	DenisChenu	Note Added: 50059
2018-12-21 12:38	DenisChenu	Resolution	open => fixed
2018-12-21 12:43	DenisChenu	Status	assigned => resolved
2018-12-21 12:43	DenisChenu	Fixed in Version	=> 3.15.x
2018-12-21 12:43	DenisChenu	Note Added: 50060
2018-12-23 21:51	DenisChenu	Note Added: 50071
2019-01-16 17:30	ollehar	Changeset attached	=> LimeSurvey develop 11e5076d
2019-01-16 17:30	ollehar	Note Added: 50234
2019-01-24 15:46	manuelvsousa	Note Added: 50301
2019-01-24 16:05	DenisChenu	View Status	private => public
2019-04-30 09:11	c_schmitz	Status	resolved => closed

View Issue Details

Users monitoring this issue

Activities

Related Changesets

Issue History